Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I just configured this at my home on a SRX210 with flow mode using 11.1R2.3 and have no issues with initial connectivity. One thing that I am running into is that the default tcp timeouts for ipv6 are very very short, like 30 seconds or so. This is causing connectivity issues as all of the host applications still think the session is up.

Anyone seen this? I'm not that familiar with IPv6, so I'm not sure if the TCP timeout should be lower than v4.. I would think not...

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

There is no reason for the timeouts of ipv6 to be shorter than ipv4. 30 seconds is extremely short for TCP. Could it be that there is some sort of asymmetric routing going on? If the SRX only sees the client->server traffic but not server->client traffic, things like this could happen as the SRX will never see a completed 3-way handshake and will remove the session again (after some 20 seconds iirc).

Update: one other possibility is that a filter with "then packet-mode" is applied on all ingress traffic but not egress. This will cause the security module of the SRX to only see one direction of the traffic flow, which is just like asymmetric routing. Those packet-filters are no longer needed in 11.1R2 though - my tunnel works fine without it.
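The mechanism this reply describes, as an added example that is not from the thread: a toy Python model of a flow-based firewall's TCP session table, replayed once with both directions of the flow visible and once with only the client-to-server half (asymmetric routing, or a one-way packet-mode filter). It also models the strict SYN check that a later reply in the thread mentions; the timeouts, the 2001:db8:: addresses and the `run` helper are constructed for illustration, not taken from the SRX.

```python
from dataclasses import dataclass

# Constructed timeouts for illustration, not the SRX's exact defaults: a session
# that never saw the reverse direction ages out fast, an established one does not.
EMBRYONIC_TIMEOUT, ESTABLISHED_TIMEOUT = 20, 1800

@dataclass
class Session:
    established: bool = False  # set once the SYN-ACK has been observed
    last_seen: float = 0.0
    def expires_at(self) -> float:
        return self.last_seen + (ESTABLISHED_TIMEOUT if self.established else EMBRYONIC_TIMEOUT)

class FlowTable:
    def __init__(self, strict_syn_check: bool) -> None:
        self.strict, self.sessions = strict_syn_check, {}

    @staticmethod
    def key(pkt: dict) -> tuple:
        # Both directions of a flow map to the same session entry.
        return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

    def packet(self, t: float, pkt: dict) -> str:
        """Return 'permit' or 'drop' for a packet (flags SYN, SYN-ACK or ACK) seen at time t."""
        k = self.key(pkt)
        s = self.sessions.get(k)
        if s is not None and s.expires_at() <= t:
            del self.sessions[k]  # idle timer expired: session torn down
            s = None
        if s is None:
            if pkt["flags"] != "SYN":
                return "drop"  # only a SYN may create a session
            self.sessions[k] = Session(last_seen=t)
            return "permit"
        if pkt["flags"] == "SYN-ACK":
            s.established = True  # handshake now seen in both directions
        elif pkt["flags"] == "ACK" and self.strict and not s.established:
            return "drop"  # strict SYN check: no data before the handshake completes
        s.last_seen = t
        return "permit"

def run(strict: bool, see_reverse: bool) -> list:
    # Replay a client's handshake and data through the model; return the verdicts.
    fw = FlowTable(strict)
    c2s = dict(src="2001:db8::10", sport=50000, dst="2001:db8::80", dport=80)
    s2c = dict(src="2001:db8::80", sport=80, dst="2001:db8::10", dport=50000)
    trace = [(0.0, {**c2s, "flags": "SYN"})]
    if see_reverse:  # False models asymmetric routing or a one-way packet-mode filter
        trace.append((0.1, {**s2c, "flags": "SYN-ACK"}))
    trace += [(0.2, {**c2s, "flags": "ACK"}),   # client's final ACK plus first data
              (40.0, {**c2s, "flags": "ACK"})]  # next request after 40 s idle
    return [fw.packet(t, p) for t, p in trace]
```

With both directions visible every packet is permitted; with only the client half the session ages out on the short timer and the request after the idle period is dropped, and with the strict SYN check even the first data packet is dropped because the firewall never saw the handshake complete.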

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I believe you nailed it actually.. Looking at the flows, there is no return traffic from the server.. The website brings up a page just fine however. Which is odd that it works.. I do not have any asymmetric routing going on. Must be something goofy with a policy or something?

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Another note: I can ping everything successfully, ipv6 does in fact work.. However something in the SRX is wonky as it's not reporting any return traffic in the flows. I tried the workaround, made no difference.

I attached the config from my security policy.. it's very very basic as I'm just trying to get things to work right now.

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Thank you for posting your snippet. I used this successfully on my 10.4R4 (SRX210) and got my SixxS tunnel working again (it broke after I followed JTAC's recommendation to downgrade from 11.x to address spontaneous chassis reboots).

Kudos given, I just wanted to thank you again for the workaround and the link explaining "how/why this workaround... works."

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Well, now I'm very happy! With the recommendations on configuring the firewall filter, along with a couple of sample configurations from a Google search for 'SRX Hurricane Electric IPv6', I have a working configuration for he.net's tunnel broker on a SRX220 running Junos 11.4R1.6.

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Is there a working flow-based config for 6in4 tunnels yet? Packet-based in 10.3 worked fine, didn't attempt any flow workarounds for it. I've tried all workarounds mentioned here for 10.4 and a few others to no avail.

---> "On all branch SRX Series devices, IPv6 tunnels over IPv4 network does not work in flow mode. [PR/741765 : This issue has been resolved.]"

First, I deactivated my firewall filter which forced all protocol 41 traffic to/from my HE.net tunnel broker previously handled in PACKET-MODE and forced it to be handled in FLOW-MODE.

Unfortunately, this did not work. TCP traffic appeared to be the issue as UDP and ICMP were functional. My IP interface's MTU was 1480 and I'm using path-mtu-discovery on the tunnel. I even enabled tcp-mss at 1420 but with no success. I didn't have time to dig any further and will test more later this evening.

Has anyone else seen the same results after upgrading to 12.1R2.9 and placing the 6in4 tunnel traffic back in FLOW-MODE by deactivating the firewall filters we created earlier in this thread?

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

pheller10 wrote: I've deactivated my firewall filters that force the tunnel traffic to packet mode, and all seems to be working well.

Ok, I spoke too soon. While deactivating the firewall filters under 12.1R2.9 did allow end-to-end connectivity, it also seems to treat all tunneled traffic as packet-mode, thus bypassing all security policy.

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I just upgraded to 10.4R10.7, and now IPv6 routing seems to be completely broken. I can ping IPv6 hosts over the tunnel from the SRX itself, but from anything on the inside, everything IPv6 breaks at the SRX. It worked fine in 10.4R9.2.

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

So it appears I've found the cause of MY problem. Seems like another bug/defect to me. I had to disable "security > flow > tcp-session > strict-syn-check" to get TCP to work. It seems strict-syn-check doesn't work with the IPv6 traffic when tunneled in IPv4 (6IN4) all in FLOW-MODE.

Anyway, after I deactivated my protocol 41 > packet-mode filter the only thing that wouldn't work was TCP packets after the 3-way handshake. For example, a three-way handshake would complete and I could initially send data, or so it seemed, but then I would never see a response to my packet. A very simple example using a curl HEAD request to an IPv6 host webserver, which looks like this:

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Hi,
Is there already a case opened with JTAC?
With my configuration I'm able to ping the internet from my VLAN interface. The PCs in this LAN are not able to reach the internet.
I'm using flow-based with JUNOS Software Release [12.1R2.9]
Regards